[Oisf-users] Fwd: Async_oneside flag.

Rodolfo Etore rponteado at gmail.com
Wed Jun 4 13:15:21 UTC 2014

Sorry, that's my bad.

Basically these two

c99 rules

(msg:"INDICATOR-COMPROMISE c99shell.php command request - phpinfo";
flow:to_server,established; content:"act=phpinfo"; fast_pattern;
http_uri; metadata:policy security-ips drop, service http;
classtype:policy-violation; sid:16628; rev:4;)
(msg:"INDICATOR-COMPROMISE c99shell.php command request - ls";
flow:to_server,established; content:"act=ls"; fast_pattern:only;
http_client_body; metadata:service http;
classtype:policy-violation; sid:22931; rev:4;)

2014-06-04 5:00 GMT-03:00 Victor Julien <lists at inliniac.net>:
> On 06/03/2014 10:54 PM, Rodolfo Etore wrote:
>> I have here a "problem" with an asynchronous link. I read about this
>> feature in the configuration file:
>> async_oneside
>> I've turned it on and tried to get a match on data with just one side of
>> the conversation, as shown in the PCAP, but no hits at all.
>> Is there anything I am doing wrong? Did I misunderstand this feature?
> Can you share how you are trying to match? What kind of rule?
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------

Thank you very much in advance
